David,

It's also a good idea to segregate the user accounts that will be delegated
OU admins into separate OUs.  The Domain Administrator will control those
OUs.  You do not want to delegate control of an OU to a user or group that
exists within that OU.  This may give them the ability to modify their own
or other accounts that have elevated privileges with consequences that may
compromise your security model.  Groups should be segregated as well: groups
are used to control access to resources, and therefore it is desirable to
control the ability to modify group membership.  Delegation to these highly
sensitive OUs should be limited to one or a few trusted individuals.

-------------------------------------- 
Robert Contreras III, MCSE/MCT 
INS - International Network Services 
[EMAIL PROTECTED] 
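
The following is an added example, not code from anyone in this thread. It audits every OU for the anti-pattern Robert describes: a trustee that holds explicit write-class rights on an OU while that trustee, or a member of it, is itself located inside the OU. It assumes the ActiveDirectory RSAT module on a domain-joined host; the $ignore list of built-in principals is an illustrative starting point, not an authoritative set.

```powershell
# Added example: find OU delegations where the delegated principal (or a member
# of the delegated group) lives inside the OU it controls. Not part of the
# original thread. Assumes the ActiveDirectory module; $ignore is a starting
# list of built-ins to skip, extend it for your forest.
Import-Module ActiveDirectory

$ignore = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
            'NT AUTHORITY\Authenticated Users', 'Everyone', 'CREATOR OWNER')
$domain = (Get-ADDomain).NetBIOSName
foreach ($role in 'Domain Admins', 'Enterprise Admins', 'Account Operators') {
    $ignore += "$domain\$role"
}

# Rights that amount to control over the OU's contents or its ACL.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, CreateChild, DeleteChild'

function Get-TrusteeDns {
    # Resolve a trustee to the DNs it brings into the OU: the object itself,
    # plus its recursive members when it is a group. Unresolvable SIDs
    # (orphaned ACEs) are skipped rather than reported.
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return @() }
    $obj = Get-ADObject -LDAPFilter "(objectSid=$sid)"
    if (-not $obj) { return @() }
    $dns = @($obj.DistinguishedName)
    if ($obj.ObjectClass -eq 'group') {
        $dns += (Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive).DistinguishedName
    }
    return $dns
}

foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    # Only explicit Allow ACEs carrying write-class rights; inherited ACEs are
    # reported at the OU where they were set.
    $explicit = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        [int]($_.ActiveDirectoryRights -band $writeMask) -ne 0 -and
        $ignore -notcontains $_.IdentityReference.Value
    }
    foreach ($ace in $explicit) {
        $inside = Get-TrusteeDns $ace.IdentityReference |
            Where-Object { $_ -like "*,$($ou.DistinguishedName)" }
        if ($inside) {
            [pscustomobject]@{
                OU      = $ou.DistinguishedName
                Trustee = $ace.IdentityReference.Value
                Rights  = $ace.ActiveDirectoryRights
                Inside  = ($inside -join '; ')
            }
        }
    }
}
```

Each row returned is a delegation that lets a principal modify the container holding its own account, which is exactly the self-elevation path the message warns about. Get-ADGroupMember -Recursive will error on groups containing foreign security principals or very large memberships; treat those groups as findings to review by hand.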

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Tuesday, June 10, 2003 10:28 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and GPO Design Comments

Hey Tony,

What's the thinking behind the recommendation "not to use Deny" for group
filtering?

-gil

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 10, 2003 12:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OU and GPO Design Comments


If you use group filtering in this way, it is recommended not to use Deny.
Instead use positive filtering.  To do this, remove the Authenticated Users
group from the ACL and then add the groups you want it to apply to using
Apply Group Policy.

Another approach would be to create an OU layer for delegation of
administration, e.g. User, Computer, etc. and then have OUs at a level below
these for the application of group policy.  For example, under the
Branch->Users OU you could have OUs called General, Lab, VIP, etc. 

Someone else made a point about separate OUs for workstations and laptops.
This is certainly an option, but there may be a way to avoid this by using
WMI filtering in the GPO.  For example, WMI can identify the chassis type of
the machine.  Based on this information you could filter the GPO based on
whether the chassis corresponds to a laptop or workstation.

Tony 
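
The two techniques above, positive security filtering and a chassis-type WMI filter, as an added example rather than code from the thread. It assumes the GroupPolicy RSAT module and a GPO named "Branch-Lab-Users" and a group "GPO-Lab-Users" (both hypothetical names). One caveat the 2003 advice predates: since MS16-072 (KB3163622), user policy is read in the computer's security context, so Authenticated Users (or Domain Computers) must keep Read on the GPO; the example therefore lowers Authenticated Users to Read instead of removing the entry outright.

```powershell
# Added example (not from the original thread): positive GPO filtering plus a
# laptop-vs-workstation WMI filter check. Assumes the GroupPolicy module and
# that the GPO and group below already exist (hypothetical names).
Import-Module GroupPolicy

$gpoName = 'Branch-Lab-Users'
$applyTo = 'GPO-Lab-Users'

# 1. Keep Read for Authenticated Users but drop Apply Group Policy.
#    -Replace is required because this lowers the existing permission level.
#    Do not set it to None: post-MS16-072 clients need Read here.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 2. Grant Read + Apply Group Policy to the intended group only.
Set-GPPermission -Name $gpoName -TargetName $applyTo `
    -TargetType Group -PermissionLevel GpoApply

# 3. Verify: who can apply the GPO, and confirm no Deny entries crept in.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' -or $_.Denied } |
    Format-Table @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Denied

# 4. Chassis-type WMI filter. This WQL is what goes into the GPMC WMI filter;
#    run it locally first to see how a given machine classifies. Chassis types
#    8, 9, 10 and 14 are the portable/laptop/notebook/sub-notebook values.
$laptopQuery = 'SELECT * FROM Win32_SystemEnclosure WHERE ChassisTypes = 8 OR ChassisTypes = 9 OR ChassisTypes = 10 OR ChassisTypes = 14'
$chassis  = (Get-CimInstance -Namespace root\cimv2 -ClassName Win32_SystemEnclosure).ChassisTypes
$isLaptop = [bool](Get-CimInstance -Namespace root\cimv2 -Query $laptopQuery)
'{0}: chassis {1} -> laptop filter matches: {2}' -f $env:COMPUTERNAME, ($chassis -join ','), $isLaptop
```

Step 3 is the check worth keeping in a scheduled audit: a GPO whose Apply list drifts back to Authenticated Users, or that gains a Deny ACE, silently changes who receives the policy.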

---------- Original Message ----------------------------------
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 10 Jun 2003 00:04:25 -0400

I'm interested in feedback on the following OU and GPO design.

Simple OU structure, something like:

|--Branches
        |--Users
        |--Computers

The "Users" OU would hold around 5000 users and the "Computers" OU an equal
number of workstations and servers.

GPO's would be created for the users and linked to the OU, but only applied 
to certain global groups that the users would be members of.  Similar for 
the computers.  There would be an "All Users" and "All Computers" GPO with 
global settings, then more granular GPO's for departmental specific
settings.

Almost all administration would be done centrally, so there should be 
little need for delegation.

This seems like it should be simple and effective, but we haven't tried it
real-world, so I'm curious if people have any thoughts on possible
gotchas, issues, etc.



--
David

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/